
Releases: mirage/mirage-crypto

v0.8.5

30 Aug 19:48

CHANGES:

  • Avoid accessing unmapped memory in ChaCha20 (#83 by @hannesm, introduced in
    0.8.1)

v0.8.4

22 Aug 12:26

CHANGES:

  • Mirage_crypto_rng: avoid using rdseed if it returned 0 during bootstrap
    (#82 @hannesm)
  • Avoid misaligned cast in xor (#79 reported by @talex5 on arm32, fixed in #81
    by @hannesm)

v0.8.3

27 Jul 13:28

CHANGES:

  • Fix ppc64le cycle_counter (add missing Val_long) (#78 @hannesm)
    • test_entropy is now test_entropy_collection
    • test_entropy checks timer and bootstrap functions
  • Avoid polluting symbol table with global non-prefixed symbols
    (reported by @anmonteiro in #77, fixed in #78 by @hannesm, suggested by @dinosaure)
  • Avoid "caml_" prefix in entropy_stubs, use "mc_" instead (#78 @hannesm)

v0.8.2

25 Jul 08:59

CHANGES:

v0.8.1

02 Jul 09:08

CHANGES:

  • Add Chacha20 implementation (based on abeaumont/ocaml-chacha), supporting
    both DJB's original specification (nonce 64 bit, counter 64 bit) and IETF
    (RFC 8439: nonce 96 bit, counter 32 bit)
    (#72 @hannesm)
  • Add Poly1305 implementation based on floodyberry/poly1305-donna (#72 @hannesm)
  • Unified AEAD module type, implemented by CCM, GCM, and Chacha20/Poly1305.
    The functions "authenticate_encrypt" and "authenticate_decrypt" are defined:
    the former appends the authentication tag to the ciphertext, the latter
    checks the tag (using Eqaf for a constant-time comparison) before returning
    the plaintext.
    Breaking changes:
    • GCM "~iv" is now "~nonce"
    • GCM encrypt returns the encrypted data with the authentication tag appended
    • GCM decrypt returns the plaintext as an option (None on authentication failure)
      (#73 @hannesm)
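The following is an added example of using the unified AEAD interface described above; it is not code from the mirage-crypto repository. It assumes the 0.8.x Cstruct-based signatures (`of_secret : Cstruct.t -> key`, `authenticate_encrypt ~key ~nonce ?adata`, `authenticate_decrypt` returning an option, `tag_size`), a 32-byte key and 12-byte IETF nonce for Chacha20/Poly1305, and the findlib package names `mirage-crypto` and `mirage-crypto-rng.unix`. The wire format (nonce || ciphertext || tag) and the helper names `seal` / `open_` are the example's own choices.

```ocaml
(* Added example, not part of mirage-crypto. Assumes the 0.8.x AEAD signatures:
     of_secret            : Cstruct.t -> key
     authenticate_encrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> Cstruct.t
     authenticate_decrypt : key:key -> nonce:Cstruct.t -> ?adata:Cstruct.t -> Cstruct.t -> Cstruct.t option
   Build (assumed package names):
     ocamlfind ocamlopt -package mirage-crypto,mirage-crypto-rng.unix -linkpkg aead_demo.ml *)

open Mirage_crypto

let nonce_len = 12   (* IETF Chacha20: 96-bit nonce, 32-bit block counter *)

(* Seal [plaintext] under a fresh random nonce. authenticate_encrypt already
   appends the Poly1305 tag, so the message layout is nonce || ciphertext || tag.
   [adata] is authenticated but not encrypted. *)
let seal ~key ~adata plaintext =
  let nonce = Mirage_crypto_rng.generate nonce_len in
  let ct_and_tag = Chacha20.authenticate_encrypt ~key ~nonce ~adata plaintext in
  Cstruct.append nonce ct_and_tag

(* Inverse of [seal]. Returns [None] for a message too short to carry a nonce
   and a tag, or when the tag check inside authenticate_decrypt fails (that
   comparison is constant time via Eqaf). *)
let open_ ~key ~adata msg =
  (* Cstruct.len is the cstruct 5.x name; cstruct >= 6 calls it Cstruct.length *)
  if Cstruct.len msg < nonce_len + Chacha20.tag_size then None
  else
    let nonce, rest = Cstruct.split msg nonce_len in
    Chacha20.authenticate_decrypt ~key ~nonce ~adata rest

let () =
  Mirage_crypto_rng_unix.initialize ();
  let key = Chacha20.of_secret (Mirage_crypto_rng.generate 32) in
  let adata = Cstruct.of_string "header-v1" in   (* constructed sample data *)
  let msg = seal ~key ~adata (Cstruct.of_string "attack at dawn") in
  (* 1. untampered round trip succeeds *)
  (match open_ ~key ~adata msg with
   | Some pt -> assert (Cstruct.to_string pt = "attack at dawn")
   | None -> failwith "decrypt of untampered message failed");
  (* 2. flipping one ciphertext bit must fail authentication *)
  let tampered = Cstruct.of_string (Cstruct.to_string msg) in   (* copy *)
  Cstruct.set_uint8 tampered nonce_len
    (Cstruct.get_uint8 tampered nonce_len lxor 1);
  assert (open_ ~key ~adata tampered = None);
  (* 3. wrong associated data fails even with intact ciphertext and tag *)
  assert (open_ ~key ~adata:(Cstruct.of_string "header-v2") msg = None);
  (* 4. a truncated message is rejected before any decryption is attempted *)
  assert (open_ ~key ~adata (Cstruct.sub msg 0 nonce_len) = None);
  print_endline "chacha20/poly1305 AEAD: ok"
```

Because `authenticate_decrypt` returns an option instead of a separate tag to compare, callers cannot forget the tag check or compare it with a non-constant-time `Cstruct.equal`; the same code works unchanged against `Cipher_block.AES.GCM` or `AES.CCM` after adjusting the key and nonce lengths those modes require.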

v0.8.0

18 Jun 19:28

CHANGES:

  • New package mirage-crypto-rng-mirage which contains the entropy collection
    code for MirageOS (#69 requested by @samoht, implemented by @hannesm)
  • Mirage_crypto_rng_lwt.initialize is not inside the Lwt monad anymore, and
    thus can be called by libraries at top level (#69, requested by @avsm @xguerin
    @talex5 in mirage/ocaml-conduit#318, implemented by @hannesm)
  • Both Mirage_crypto_rng_lwt.initialize and Mirage_crypto_rng_unix.initialize
    don't do anything if called a second time (#69, implemented by @hannesm)
  • Entropy source registration is now open and done via
    Entropy.register_source : string -> source, instead of a closed variant
    (#69, fixes #68, implemented by @hannesm)

v0.7.0

18 May 13:14
ceb4b4f

CHANGES:

  • CPU feature detection (AESNI, SSE3, PCLMULQ) at runtime instead of compile
    time (#53 @Julow, fixed MirageOS support #61, review by @hannesm);
    performance hit of up to 5%
  • Revise entropy collection (#64 @hannesm review by @dinosaure @cfcs)
    mirage-crypto-entropy has been folded into mirage-crypto-rng.{unix,lwt,mirage}
    • the RNG is no longer fork() safe, if you use fork in your code, be sure to
      reseed the RNG in the child process
    • on Unix and Lwt, the used RNG is Fortuna, seeded by getrandom(),
      rdrand/rdseed, and whirlwind
    • Mirage_crypto_rng_lwt does entropy collection for Lwt applications
    • entropy collection is now similar to FreeBSD:
      • rdrand/rdseed is executed in a separate task (by default every second)
      • on Unix, getrandom() is executed in another separate task (by default
        every 10 seconds)
      • on every entry into the Lwt event loop, some bits of rdtsc are collected
        (rdrand/rdseed is no longer executed on each event loop entry)
    • Fortuna only uses entropy pools if the given period is exhausted (defaults
      to 1s), and the pool size exceeds 64 bytes
    • The unseeded generator exception prints instructions how to seed the RNG
  • 32 bit support (for ghash), requested by @TImada in #60, #65 @hannesm
  • use Eqaf_cstruct.find_uint8 instead of Cs.ct_find_uint8 (#52 @dinosaure)
  • add (:standard) in C flags to allow cross-compilation #47 @samoht
  • Mirage_crypto.Uncommon: remove several functions (Cs.create, Option),
    requires OCaml 4.08 (#49 #51 @hannesm)
  • remove ocplib-endian dependency, use Bytes directly (since 4.07) #51 @hannesm
  • bitfn.h cleanup (#56 #58 @hannesm)
  • fix build if opam is not available (#66 @hannesm)
  • update test.yml GitHub actions (#44 #57 @imbsky)
  • Travis CI for arm64 (#55 @hannesm)

v0.6.2

19 Mar 17:32
fc762f3

CHANGES:

  • Do not validate hardcoded DH groups, to speed up initialization time
    (reported in #43 by @rbardou, fixed in #42 by @hannesm)

v0.6.1

15 Mar 21:09

CHANGES:

v0.6.0

11 Mar 12:05

CHANGES:

Initial release as mirage-crypto, based on nocrypto 0.5.4 (from January 2017),
written by David Kaloper, and mirage-entropy 0.5.1 (February 2020). The goal is
to maintain mirage-crypto collaboratively, with required reviews for all pull
requests and a CI setup for multiple platforms, so that issues are caught early.
The minimum targeted OCaml version is 4.07.0. Mirage-crypto and nocrypto can be
installed in the same opam switch, and also linked into the same binary.

The major difference is a split into four opam packages:

  • mirage-crypto contains the hash algorithms and ciphers
  • mirage-crypto-pk contains the public key cryptography
  • mirage-crypto-rng contains the Random Number Generators
  • mirage-crypto-entropy contains entropy seeding code used by MirageOS
    (previously mirage-entropy)

Only mirage-crypto-pk depends on zarith and gmp, the dependency cone of the
other packages is small.

Changes from nocrypto 0.5.4/mirage-entropy 0.5.1:

  • Dune is used as build system (no longer pack()ed, no optional dependencies)
  • Base64 has been removed, use the base64 opam package
  • Numeric has been removed, Mirage_crypto_pk.Z_extra provides to/of_cstruct_be
  • RNG generators over numeric types (Rng.Int / Int32 / Int64) have been removed;
    use randomconv instead
  • For random generation of Z.t, previously Rng.Z, now
    Mirage_crypto_pk.Z_extra.gen and gen_r are provided

mirage-crypto

  • Hash: Change of the hashing interface Hash.S:
    • t is now immutable;
    • feed and get are therefore referentially transparent; and
    • digestv was replaced by digesti.
      Old behavior of feed and get can be replicated by wrapping a t in a
      reference cell. digestv can be obtained by combining digesti with
      List.iter.
    • New functions: Hash.S.hmaci, Hash.digesti, Hash.maci
    • The type Hash.hash cannot be converted to a S-expression anymore
  • Counter module got removed
  • CTR mode: custom type ctr for the counter
  • GCM is accelerated (with pclmulqdq and SSE3)
  • CCM now computes correct tag with empty additional data
  • CCM fails with Invalid_argument when short or long nonce is used (previously
    assert false)
  • CCM decryption of empty ciphertext no longer fails
  • GCM fails on empty IV
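As an added example (not code from mirage-crypto or its authors) of the new Hash.S interface described above: the removed `digestv` is recovered from `digesti` with `List.iter`, and the old mutable `feed`/`get` behaviour is recovered by wrapping the immutable `t` in a reference cell. It assumes the 0.6.x signature with `Hash.digest = Cstruct.t`, `empty`, `feed : t -> Cstruct.t -> t`, `get : t -> digest`, `digest` and `digesti : (Cstruct.t -> unit) -> unit) -> digest`; the `Stateful` functor and `digestv` helper are the example's own names.

```ocaml
(* Added example, not part of mirage-crypto. Assumes the 0.6.x Hash.S signature
   (immutable t, empty, feed, get, digest, digesti) with Hash.digest = Cstruct.t.
   Build (assumed package name): ocamlfind ocamlopt -package mirage-crypto -linkpkg hash_demo.ml *)

open Mirage_crypto

(* digestv (hash of a list of chunks), recovered from digesti as the release
   notes suggest: the iterator simply feeds every chunk in order. *)
let digestv (module H : Hash.S) (chunks : Cstruct.t list) =
  H.digesti (fun feed -> List.iter feed chunks)

(* The old mutable interface, recovered by wrapping the immutable state in a
   ref. Every [feed] replaces the stored state with the new immutable one. *)
module Stateful (H : Hash.S) = struct
  type t = H.t ref
  let create () = ref H.empty
  let feed st cs = st := H.feed !st cs
  let get st = H.get !st
end

module Sha256_stateful = Stateful (Hash.SHA256)

let () =
  (* constructed sample input *)
  let a = Cstruct.of_string "hello, " and b = Cstruct.of_string "world" in
  let expected = Hash.SHA256.digest (Cstruct.append a b) in
  (* 1. digestv over chunks equals the digest of the concatenation *)
  assert (Cstruct.equal (digestv (module Hash.SHA256) [a; b]) expected);
  (* 2. feed is referentially transparent: reusing [after_a] twice gives the
        same digest, because feeding never mutates the state it was given *)
  let after_a = Hash.SHA256.feed Hash.SHA256.empty a in
  let d1 = Hash.SHA256.get (Hash.SHA256.feed after_a b) in
  let d2 = Hash.SHA256.get (Hash.SHA256.feed after_a b) in
  assert (Cstruct.equal d1 d2 && Cstruct.equal d1 expected);
  (* [after_a] itself is still the digest of "hello, " alone *)
  assert (Cstruct.equal (Hash.SHA256.get after_a) (Hash.SHA256.digest a));
  (* 3. the stateful wrapper reproduces the old feed/get flow *)
  let st = Sha256_stateful.create () in
  Sha256_stateful.feed st a;
  Sha256_stateful.feed st b;
  assert (Cstruct.equal (Sha256_stateful.get st) expected);
  assert (Cstruct.len expected = Hash.SHA256.digest_size);
  Format.printf "sha256(\"hello, world\") =@.%a@." Cstruct.hexdump_pp expected
```

`Cstruct.equal` is fine here because both operands are computed locally; when a digest or MAC is compared against a value supplied by a peer, use the constant-time `Eqaf_cstruct.equal` that this release already adopts for its own tag checks.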

mirage-crypto-pk

  • key data structures are private, smart constructors validate the key data
  • DSA blinding now blinds the entire computation of s (previously only r was
    blinded), as OpenSSL does
  • RSA decrypt/sign has an optional argument (crt_hardening) to check whether
    the computed signature is valid (default true for PKCS1 signatures), avoiding
    Lenstra's CRT fault attack (mentioned again by Weimer)
  • use Eqaf_cstruct.equal instead of home-grown ct_eq
  • bindings with a bits argument are labeled to avoid confusion of bits and bytes
  • Dh secret is now a pair of group and secret, Dh.shared no longer gets the
    group as separate argument
  • the powm_sec function is used to mitigate timing side channels (see
    https://gmplib.org/~tege/modexp-silent.pdf for further details). RSA still
    uses (lacking alternatives) Z.erem and Z.mul/add/sub without timing
    mitigations. This introduces a 20-25% performance penalty (as shown below,
    and discussed in the pdf)

mirage-crypto-rng

  • Default RNG is now Null (previously: Fortuna)
  • Mirage_crypto_rng_unix.initialize () sets the default RNG to direct
    syscalls to getrandom() (on Linux) or getentropy() (on BSD and macOS).
    Previously, /dev/urandom or /dev/random were used to seed a Fortuna RNG.
    Mirage_crypto_rng is now fork-safe on Unix systems: the child process no
    longer starts with the RNG seed of the parent.
  • As noted above, the generators for numeric types have been removed.

mirage-crypto-entropy

  • Control flow inverted: Mirage_crypto_entropy now sets the default RNG in
    Mirage_crypto_rng and feeds this RNG; previously, an RNG could register
    a callback to be invoked whenever entropy was harvested.
  • AMD CPUs with bad rdrand/rdseed, which always return -1, are detected and not
    used
  • Initialization: in addition to whirlwind, rdrand/rdseed is used four times to
    seed the RNG (including a check of the carry flag (CF), which the instruction
    sets only when a random value was actually produced); if no hardware RNG is
    available, whirlwind is executed three times.

These changes were prepared and reviewed by @pqwy, @hannesm, @cfcs, @dinosaure,
@emillon, @haesbaert, @mseri, @samoht, @reynir, @avsm, @TheLortex, @marmarek.

Performance of mirage-crypto 0.6.0 on an i7-5600U CPU @ 2.60GHz (OCaml 4.09.0):

  • [aes-128-ecb]
    16: 130.635750 MB/s (17131413 iters in 2.001 s)
    64: 446.478551 MB/s (14619573 iters in 1.999 s)
    256: 1390.639142 MB/s (11394212 iters in 2.000 s)
    1024: 2570.981481 MB/s (5255924 iters in 1.996 s)
    8192: 3602.365523 MB/s (923220 iters in 2.002 s)

  • [aes-128-cbc-e]
    16: 118.576157 MB/s (15562918 iters in 2.003 s)
    64: 284.131835 MB/s (9337111 iters in 2.006 s)
    256: 443.035755 MB/s (3634381 iters in 2.003 s)
    1024: 517.982442 MB/s (1060993 iters in 2.000 s)
    8192: 549.691380 MB/s (141017 iters in 2.004 s)

  • [aes-128-cbc-d]
    16: 120.294692 MB/s (15280286 iters in 1.938 s)
    64: 408.896399 MB/s (13385151 iters in 1.998 s)
    256: 1239.911665 MB/s (10218204 iters in 2.012 s)
    1024: 2307.252487 MB/s (4750356 iters in 2.011 s)
    8192: 3200.883102 MB/s (822730 iters in 2.008 s)

  • [aes-128-ctr]
    16: 128.202344 MB/s (16596766 iters in 1.975 s)
    64: 423.311050 MB/s (13761489 iters in 1.984 s)
    256: 1263.233926 MB/s (10270525 iters in 1.985 s)
    1024: 2168.164371 MB/s (4474403 iters in 2.015 s)
    8192: 3029.360927 MB/s (769213 iters in 1.984 s)

  • [aes-128-gcm]
    16: 42.201314 MB/s (5897756 iters in 2.132 s)
    64: 152.244886 MB/s (5026236 iters in 2.015 s)
    256: 546.479756 MB/s (4394580 iters in 1.963 s)
    1024: 1223.989968 MB/s (2499487 iters in 1.994 s)
    8192: 1974.670878 MB/s (507143 iters in 2.006 s)

  • [aes-128-ghash]
    16: 48.954628 MB/s (6311856 iters in 1.967 s)
    64: 176.553952 MB/s (5735112 iters in 1.983 s)
    256: 700.256364 MB/s (5667665 iters in 1.976 s)
    1024: 2095.813910 MB/s (4238823 iters in 1.975 s)
    8192: 5038.045638 MB/s (1284257 iters in 1.991 s)

  • [aes-128-ccm]
    16: 10.188661 MB/s (1335151 iters in 2.000 s)
    64: 33.832886 MB/s (1107442 iters in 1.998 s)
    256: 80.837804 MB/s (658093 iters in 1.988 s)
    1024: 125.678615 MB/s (256478 iters in 1.993 s)
    8192: 150.055764 MB/s (38013 iters in 1.979 s)

  • [aes-192-ecb]
    16: 123.502998 MB/s (16110634 iters in 1.990 s)
    64: 409.911649 MB/s (13468258 iters in 2.005 s)
    256: 1270.949485 MB/s (10447481 iters in 2.007 s)
    1024: 2301.964244 MB/s (4655905 iters in 1.975 s)
    8192: 3106.818520 MB/s (803606 iters in 2.021 s)

  • [aes-256-ecb]
    16: 119.076345 MB/s (15491470 iters in 1.985 s)
    64: 394.571062 MB/s (12925749 iters in 1.999 s)
    256: 1202.173821 MB/s (9784687 iters in 1.987 s)
    1024: 2091.674323 MB/s (4242987 iters in 1.981 s)
    8192: 2775.548835 MB/s (708481 iters in 1.994 s)

  • [d3des-ecb]
    16: 18.146565 MB/s (2349955 iters in 1.976 s)
    64: 20.393800 MB/s (665318 iters in 1.991 s)
    256: 20.864270 MB/s (172912 iters in 2.023 s)
    1024: 20.749041 MB/s (42337 iters in 1.993 s)
    8192: 21.299626 MB/s (5102 iters in 1.871 s)

  • [fortuna]
    16: 45.461127 MB/s (6009127 iters in 2.017 s)
    64: 163.608657 MB/s (5478371 iters in 2.044 s)
    256: 576.021850 MB/s (4815192 iters in 2.041 s)
    1024: 1394.787051 MB/s (2838832 iters in 1.988 s)
    8192: 2375.298268 MB/s (607658 iters in 1.999 s)

  • [rng]
    16: 18.258923 MB/s (2416789 iters in 2.020 s)
    64: 54.093151 MB/s (1770883 iters in 1.998 s)
    256: 106.310471 MB/s (870193 iters in 1.998 s)
    1024: 109.436412 MB/s (225474 iters in 2.012 s)
    8192: 109.587676 MB/s (28091 iters in 2.003 s)

  • [md5]
    16: 60.932675 MB/s (7919161 iters in 1.983 s)
    64: 166.939662 MB/s (5392579 iters in 1.972 s)
    256: 315.792950 MB/s (2725727 iters in 2.107 s)
    1024: 432.116247 MB/s (888683 iters in 2.008 s)
    8192: 457.205673 MB/s (123686 iters in 2.113 s)

  • [sha1]
    16: 51.685511 MB/s (7112274 iters in 2.100 s)
    64: 142.165035 MB/s (4545000 iters in 1.951 s)
    256: 290.103032 MB/s (2374321 iters in 1.998 s)
    1024: 392.263515 MB/s (798932 iters in 1.989 s)
    8192: 441.651051 MB/s (111759 iters in 1.977 s)

  • [sha256]
    16: 32.740541 MB/s (4248963 iters in 1.980 s)
    64: 82.039587 MB/s (2667306 iters in 1.984 s)
    256: 148.107628 MB/s (1206556 iters in 1.989 s)
    1024: 187.633143 MB/s (378650 iters in 1.971 s)
    8192: 203.079830 MB/s (51460 iters in 1.980 s)

  • [sha512]
    16: 27.174808 MB/s (3539910 iters in 1.988 s)
    64: 107.114479 MB/s (3511519 iters in 2.001 s)
    256: 181.582232 MB/s (1481042 iters in 1.991 s)
    1024: 262.146451 MB/s (538311 iters in 2.005 s)
    8192: 301.017129 MB/s (76650 iters in 1.989 s)

  • [rsa-generate]
    1024: 112.465 ops per second (1269 iters in 11.283)
    2048: 11.407 ops per second (125 iters in 10.958)
    4096: 1.342 ops per second (9 iters in 6.709)

  • [rsa-encrypt]
    1024: 85190.882 ops per second (1086956 iters in 12.759)
    2048: 28593.006 ops per second (349650 iters in 12.229)
    4096: 8813.099 ops per second (102040 iters in 11.578)

  • [rsa-decrypt]
    1024: 4032.054 ops per second (29708 iters in 7.368)
    2048: 731.030 ops per second (7274 iters in 9.950)
    4096: 116.340 ops per second (1145 iters in 9.842)

  • [rsa-pkcs1-encrypt]
    1024: 77539.233 ops per second (735294 iters in 9.483)
    2048: 24854.606 ops per second (268817 iters in 10.816)
    4096: 7693.667 ops per second (85324 iters in 11.09...
